Injection vulnerability in RadButton
Our company is using HCL AppScan to expose possible security vulnerabilities. Recently, the scans have started returning issues of high severity related to Blind LDAP Injection because the parameters of the hidden ClientState for RadButtons, such as buttonAbort_ClientState, can be appended to affect the response.
The test uses the following logic:
Four requests are sent.
- The last is logically equal to the original.
- The next-to-last is different.
- Any others are for control purposes.
A comparison of the last two responses with the first (the last is similar to it, and the next-to-last is different) indicates that the application is vulnerable.
These are not LDAP issues, since LDAP is not implemented on the server, but our security team is concerned this is a vulnerability because the parameter can be appended to without sanitization.
Is there a legitimate reason for concern? If so, do you have any suggestions for remediation? We are using version 2023.1.323.45.
Regards, Joel